An automated transaction system employs a terminal for printing a value indicia, such as a postmark, on an article. The terminal contains a modular printer unit which has a printhead and a dedicated microprocessor physically permanently bonded together such that the printhead microprocessor cannot be physically tampered with without disabling the printhead. The modular printer unit includes a first supply of visible ink and a second supply of invisible ink, and an internal program for printing the value indicia with visible ink and an authentication code, which uniquely corresponds to the value indicia, with invisible ink. The invisible value indicia can be subsequently verified as authentic by machine reading of said invisible authentication code and comparing the authentication code for correspondence to the value indicia.






EP 0 619 563 A1 







FIELD OF INVENTION 

The invention relates to an automated transaction system which receives with a user card having a microprocessor for executing secure transactions in which an article or item of value is dispensed from a terminal, and an account balance stored in the card's memory is debited. In particular, the invention is applied to a postage transaction system in which a postage account is maintained within the microprocessor card and is used in transactions with postage printing and metering terminals.

BACKGROUND OF INVENTION

Point-of-sale (POS) terminals and automated teller machines (ATM) have been widely used in conjunction with various types of cards issued to users for sale or credit transactions. For example, banks regularly issue account cards which have a magnetically coded number stored on a stripe for accessing the user's account through ATM terminals. Credit cards which have coded magnetic stripes are inserted in ATM or POS terminals to access a central account system for authorization of a credit transaction. There also have been proposals to use cards which have large non-volatile memories, e.g. magnetic, integrated circuit (IC), or optical memory storage, for storing and retrieving information specific to the user, such as a medical history, biographical history, maintenance of an account balance and transaction history, etc.

These conventional systems generally employ a card which has a passive memory that is read in a card reader or computerized terminal maintained by a vendor. The security of the cards is problematic since most account cards used conventionally are passive and do not authenticate themselves or the particular transactions for which they are used. Instead, on-line access through a terminal to a central account system, such as bank or credit card account records, is required for confirmation of each transaction. This requirement places an access time and cost burden on vendors, such as bank branches and retail stores, which must maintain the terminal facilities, as well as on the operator of the central account system, which must provide sufficient on-line access for all the users of the system and ensure the security of the entire system.

By comparison, off-line transactions, i.e. between a user with an authorized card and a terminal not connected to a central account system, have the advantage that the vendor does not have to confirm each transaction. A card bearer merely inserts the card in a terminal to pay for a purchase and the authorized amount of the card is debited for the amount of the transaction. In off-line transactions, the vendor's responsibility can be reduced and the transaction process simplified, so that a transaction can be completely automated through the use of widely distributed user cards and automated terminals.

However, off-line transactions are more vulnerable to the use of counterfeit cards and to tampering with the terminals. Thus, the cards have to be made secure and the transactions limited to small amounts. As an example of conventional card security measures, a memory card can be divided into a number of separately validatable sectors of limited value which are irreversibly debited with each transaction, as disclosed in U.S. Patents 4,204,113 and 4,256,955 to Giraud et al. A personal identification number (PIN) can be written into the card's memory at the time of issuance and requested of the user with each transaction. Terminals are generally made secure by maintaining them in areas to which access is restricted or supervised. However, these requirements increase the cost of operating the system and at the same time decrease its utility.

The sophistication of card counterfeiting and credit fraud has increased with the widespread use of account and credit cards, and even greater security measures are currently needed to ensure the validity of card transactions. Conventional microprocessor cards employ resident programs to control access to data stored on the card, store a selected user PIN to confirm an authorized user, and prevent use of the card if an unauthorized user is detected, such as after a limited number of incorrect PIN entries. Although such microprocessor cards provide greater security than passive cards, the overall system is still vulnerable in that, once a valid user's PIN has been ascertained, a stolen card can be used for unauthorized transactions in any terminal, and the terminals themselves are subject to penetration. These vulnerabilities can be offset by limiting the authorized amount of the card, controlling access to the terminals, or requiring on-line confirmation of transactions. However, such measures again increase the cost of the system and decrease its utility.

One potential area of application of automated systems employing account or credit cards is in postage vending and metering machines. Purchases of postage and mailing transactions are made primarily in person with cash through tellers at post offices. Only limited types of postage stamps can be purchased from public vending machines. Most private postage metering machines have limited operational features and must have their metering devices removed periodically to a post office for refilling. The size and weight of the metering devices make them inconvenient to carry. Some metering systems can be refilled by a remote computer, but the caller must still phone the computer center and execute the operator's instructions on the postage meter manually.

The elimination of cash purchases, in-person mailing transactions, unnecessary limitations on automated postal services, and physical refilling of postage metering machines could greatly reduce the waiting lines at post offices and facilitate the wider dissemination of postage vending and metering machines for the convenience of users and provide greater access to postal services. The use of account or credit cards for automated postal machines has been considered. However, the security problems of conventional card automated systems would require that user cards be validated only for relatively small amounts of prepaid postage, that vending and metering machines provide limited postal products and be refilled with limited total postage amounts, and that access to the machines be strictly controlled. These restrictions are a substantial obstacle which contributes to the difficulty of implementing an automated postal transaction system.

In view of the foregoing disadvantages and problems of conventional systems, it is a primary purpose of the invention to provide an automated transaction system which has security features that will facilitate the widespread use of account or credit cards for off-line transactions and the dissemination of automated transaction terminals to which access does not have to be strictly controlled. A principal object of the invention is to provide an interactive card/terminal system in which the card and the terminal each have a security feature which prevents the completion of a requested transaction unless a secure handshake recognition procedure is mutually executed between the card and the terminal such that they each recognize the other as authorized to execute a transaction. In particular, it is desired that the card and the terminal cooperate together to execute a simultaneous dispensing of value by the terminal and debiting of an authorized balance by the card.

A specific object of the invention is to apply the above-mentioned automated transaction system to postage metering machines. A further object is to provide a new generation of card automated postal terminals which have greater flexibility in the range of postal products and services offered, wherein the terminals are individually secure and can be accessed in relatively unrestricted areas, and the cards can be refilled at any desired location through secure refilling terminals validated by the issuer.

In accordance with the purposes and objects of the invention, a card automated transaction system employs a card having a secure, resident microprocessor which operates to confirm that a requested transaction is authorized and to then initiate an interactive handshake recognition procedure with a resident microprocessor in the value dispensing section of an automated terminal. Upon successful completion of the handshake procedure, the card microprocessor and the dispensing section microprocessor simultaneously actuate the dispensing of the requested article or item of value and the debiting of an authorized balance from the card.

A particular embodiment of the invention is a mutual handshake recognition procedure executed as follows: (1) upon confirming that a requested transaction is authorized, the card passes to the terminal a word comprising a randomly generated or other object number encrypted by a first resident algorithm and a key number stored in the card; (2) the terminal decodes the number using a corresponding inverse of the first algorithm and the key number; (3) the terminal sends back to the card a second word comprising the decoded random number encrypted by a second resident algorithm and the key number; (4) the card decodes the second word using a corresponding inverse of the second algorithm and the key number and compares the decoded number to the one originally sent; (5) if the numbers match, the card microprocessor debits its authorized balance for the indicated amount of the transaction and sends an actuation signal to the terminal to proceed with the transaction; and (6) upon receipt of the actuation signal, the dispensing microprocessor actuates the dispensing section to complete the transaction. The transmitted actuation signal may also be encrypted and decoded by the above algorithms or a similar method.
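The six-step handshake above, simulated with both sides' messages, as an added example that is not code from the patent. The patent names no algorithms, so the HMAC-based Feistel permutation, the 16-byte random number, the `ALG1`/`ALG2` labels and the layout of the actuation signal are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ROUNDS = 4  # Feistel rounds (constructed parameter)
ALG1, ALG2 = b"first-algorithm", b"second-algorithm"  # stand-in labels


def _f(key, label, i, half):
    """Keyed round function: HMAC-SHA256 truncated to the half-block size."""
    return hmac.new(key, label + bytes([i]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, label, block):
    """Stand-in for a resident algorithm: a keyed, invertible Feistel permutation."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(key, label, i, right))
    return left + right


def decrypt(key, label, block):
    """The corresponding inverse of encrypt() for the same key and label."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, label, i, left)), left
    return left + right


class Card:
    """Card MPU: holds the key number and the authorized balance (in cents)."""

    def __init__(self, key, balance):
        self.key, self.balance, self._pending = key, balance, None

    def begin(self, amount):
        """Step 1: confirm the request is authorized, then send the first word."""
        if not 0 < amount <= self.balance:
            return None
        nonce = secrets.token_bytes(16)
        self._pending = (nonce, amount)
        return encrypt(self.key, ALG1, nonce)

    def finish(self, word2):
        """Steps 4-5: decode the reply, compare, debit, emit the actuation signal."""
        if self._pending is None or word2 is None or len(word2) != 16:
            return None
        (nonce, amount), self._pending = self._pending, None  # one try per number
        if not hmac.compare_digest(decrypt(self.key, ALG2, word2), nonce):
            return None
        self.balance -= amount
        # Assumed signal layout: b"GO" + 4-byte amount + first 10 nonce bytes.
        return encrypt(self.key, ALG1, b"GO" + amount.to_bytes(4, "big") + nonce[:10])


class Printer:
    """Printer MPU: the value dispensing section, holding the same key number."""

    def __init__(self, key):
        self.key, self._nonce, self.printed = key, None, []

    def respond(self, word1):
        """Steps 2-3: decode with the inverse of algorithm 1, re-encrypt with 2."""
        if word1 is None or len(word1) != 16:
            return None
        self._nonce = decrypt(self.key, ALG1, word1)
        return encrypt(self.key, ALG2, self._nonce)

    def actuate(self, signal):
        """Step 6: print only on a signal bound to the number just exchanged."""
        nonce, self._nonce = self._nonce, None
        if nonce is None or signal is None or len(signal) != 16:
            return False
        plain = decrypt(self.key, ALG1, signal)
        if plain[:2] != b"GO" or not hmac.compare_digest(plain[6:], nonce[:10]):
            return False
        self.printed.append(int.from_bytes(plain[2:6], "big"))
        return True


def run_transaction(card, printer, amount):
    """Terminal MPU role: it only relays words between card and printer."""
    word1 = card.begin(amount)
    word2 = printer.respond(word1)
    return printer.actuate(card.finish(word2))


if __name__ == "__main__":
    key = secrets.token_bytes(16)             # constructed key number
    card, printer = Card(key, 500), Printer(key)
    print(run_transaction(card, printer, 45), card.balance, printer.printed)
    rogue = Printer(secrets.token_bytes(16))  # dispensing section without the key
    print(run_transaction(card, rogue, 45), card.balance, rogue.printed)
```

A printer holding a different key number returns a second word that fails the comparison in step 4, so the card neither debits its balance nor issues the actuation signal.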

Under the principles of the invention, the above-described interactive card automated transaction system is applied to postage metering machines. In one embodiment, a postage metering terminal has a slot for receiving a microprocessor card issued with an authorized balance, a print head with a secure microprocessor which interacts with the card microprocessor, a keypad, a display, and an operations microprocessor which accepts a keyed input of the postage amount requested, displays the keyed input, queries the card to authorize and initiate the postage printing transaction, and then resets the machine for the next transaction or executes a series of transactions in a repeat mode.

In a related embodiment, a postage metering terminal has a first slot for receiving a user microprocessor card, a second slot for receiving a postal rate card, a print head with a secure microprocessor, a keypad and other means for entering source and destination (postal zip) codes, means for entering the weight and postal class of the article to be mailed, and an operations microprocessor having a program for calculating the correct postage based upon the listings of the rate card and the keyed-in information.

The card automated postal transaction system can be readily applied not only to the postal products and services of the U.S. Postal Service, but also to private carriers and parcel delivery companies. In a further embodiment, a postal waybill terminal has a third slot for receiving a special services card which has stored data from which the terminal can print postal and delivery services information on standard form blanks. For example, the special services card can be used to print Post Office forms, such as Certified Mail or Registered Mail, or the waybills of private carrier companies. The terminal is also provided with a full field display of the waybill form, prompts the user for information by programmed cursor movements, and has command keys for inputting sender and addressee information, rate or service class, waybill number, carrier information, etc.

As subsidiary features, the microprocessor cards can be configured to provide different types of access to the terminals as desired, for example, limited numbers or types of users in limited numbers or types of machines, unlimited users in limited machines, limited users in unlimited machines, or unlimited users in unlimited machines. The different types of access can be implemented by storing key numbers in the card for identifying authorized users and/or machines, and/or key numbers in the terminal operations microprocessor for identifying authorized users. The user cards can also be configured at the time of issuance for limits to the amounts and types of individual transactions, and temporary or permanent locking upon detection of an unauthorized user or card. Another system feature is the storing of a history of transactions executed by the card, and the recomputing of the remaining balance upon each transaction request, in order to save card memory space. A separate transaction printer may be used to obtain a printout of the card's transaction history.

The postage metering terminals according to the invention are also provided with means for allowing a post office or carrier to authenticate the postage marks or waybills that are printed. In one embodiment, the terminal printer prints within or under the postmark a coded number or sequence of marks corresponding to an element of the postmark, such as the amount of postage, the terminal identification number, and/or the sender's zip code. The marks may be disguised or made invisible by printing with a magnetically or optically readable ink to deter tampering or unauthorized simulation. They may then be machine-read by the post office or private carrier company to determine whether the printed postmark was printed by an authorized printer, and at the same time provide an audit trail to the sender.

In accordance with a further application of the invention, an integrated system of microprocessor cards and terminals provides transaction facilities which permit widespread use and convenient access to users. The authorized amount of the user card may be initially validated or refilled from a master refilling card, which has a larger authorized amount, preferably in conjunction with a supervisor card issued under strict distribution control. A refilling terminal is provided with three insertion slots for the three cards, and has an operations program to check the identity of the master refilling card and the user card to determine if they are valid for use in the refilling terminal. Upon clearance, the secure handshake recognition procedure must be successfully executed between the microprocessors of the supervisor and master cards in order to permit a debit to the master card of the refill amount and a credit to the user card. If the user card is a new card, a validation procedure and the selection and storing of a user PIN are executed.

The card automated transaction system of the invention has broad applicability to many other types of purchase or credit transactions besides postal services and products. For example, it can also be used for credit card transactions, inventory control, bills of lading, automated cash machines, or virtually any other type of transaction in which a user account must be securely debited through an automated terminal in exchange for an article or item of value. The invention is especially advantageous in off-line transactions in which distributed terminals not under strict access controls are used. The above principles, advantages, and features of the invention are described in further detail below in conjunction with the following drawings.

BRIEF DESCRIPTION OF DRAWINGS

Fig. 1 illustrates schematically a preferred embodiment of an automated postal transaction terminal using a microprocessor card in accordance with the invention;

Fig. 2a shows a structure in the embodiment of Fig. 1 for executing a secure handshake recognition procedure between the microprocessor card and a value dispensing section of the terminal, and Fig. 2b outlines the handshake sequence;

Fig. 3 illustrates the multiple levels of security provided by the system of Fig. 1;

Fig. 4 shows another embodiment of the postal transaction terminal of the invention which receives a rate card for automatically computing postal amounts;

Fig. 5 is a flow diagram of the operation of the terminal of Fig. 4;

Fig. 6a shows the use of coded marks for authentication of a postmark printed by a postal transaction terminal, and Fig. 6b shows one exemplary form of authentication coding;

Fig. 7 illustrates schematically a preferred embodiment and an optical scale of an automated waybill printing terminal using a microprocessor card and a special services card in accordance with the invention;

Fig. 8 is a flow diagram of the operation of the terminal of Fig. 7;

Fig. 9 illustrates a standard form of waybill and cursor prompts for filling in its information fields;

Fig. 10 illustrates schematically a preferred embodiment of an automated refilling terminal using a microprocessor card, a master card, and a supervisor card in accordance with the invention;

Fig. 11 is a flow diagram of the operation of the terminal of Fig. 10; and

Fig. 12 shows the integrated system of microprocessor cards, memory cards, and terminals of the invention.

DETAILED DESCRIPTION OF INVENTION

In accordance with the basic principles of the invention, an automated transaction system employs a microprocessor card in an automated transaction terminal. Various types of microprocessor cards are available commercially, and the technology of manufacturing such cards and using them in terminal devices is well understood. As an example, Micro Card Technologies Inc. of Dallas, Texas, makes the Micro Card Mask M4 card which is a standard (ISO) size, similar to a credit card, having an 8-bit microprocessor, 8 contact pinout, 9600 bps asynchronous serial exchange protocol, 12.8 Kbits of Read-only memory (ROM), 288 bits of Random Access Memory (RAM), and 8 Kbits of Erasable/Programmable ROM (EPROM). An array of electrical contacts provided in one section of the card connects with the corresponding contacts in the terminal to allow the card microprocessor to communicate data with the terminal. It is of course understood that other types of data communicating connections can be used, such as, for example, by magnetic induction.

The conventional microprocessor card as used in the present invention operates by executing an internally stored program (firmware) which cannot be accessed from the outside. The firmware may be written in randomized form to secure it against tampering from the outside. An electrically programmable (EPROM) memory portion associated with the microprocessor of the card is generally divided into three zones: a secret zone which can only be accessed internally; a protected read/write zone which can only be accessed after a key number or PIN has been confirmed, and a free-reading zone. The card is used in a terminal for performing desired functions in accordance with the rules, procedures, and data stored in or executed by the card and the terminal.

When conventional microprocessor cards are issued to individual users, a validation procedure is executed on a validating terminal. The procedure generally requires the issuer to enter the correct manufacturers' serial number of the card in order to confirm that the card is authorized. A PIN is then assigned to or selected by the cardholder and stored in the secret zone. Moreover, a secret key number unique to the issuer, which may be common to a class or chronological series of cardholders, may also be stored in the secret zone. In some card systems, the secret key is used as an argument of an encryption algorithm to send an encrypted word to the terminal for verification. If the word can be decoded by the terminal to derive the secret key, the card is presumed to be authentic. Upon completion of the validation procedure, the card MPU irreversibly alters its program so that no further words can be written in the secret memory zone. Thereafter, upon using the card, a user must enter the correct PIN in order to confirm that the card is being used by its authorized user. Conventional microprocessor cards also have the feature of temporarily or permanently locking the card from use if a succession of incorrect PIN entries on a terminal is detected.

At the time of issuance, an amount in monetary or other units is validated for the card being issued. In conventional cards, the amount is permanently written in one of a plurality of transaction sectors in the protected memory zone. Each time the card is to be "filled" with a new amount, one of the sectors is unlocked and written with a new amount by the issuer. Thus, a limited authorized amount can be written each time, and the card is then refilled a number of times before its memory space is used up. This is a security feature to minimize monetary loss in case the card is lost or stolen. The authorized amount is decremented with each transaction and a new balance is written until the balance is used up. Although any amount or balance can be written into the card's transaction memory, as a further security feature the card may prevent a balance being written which exceeds a predetermined limit or a previously written balance.

A card automated transaction system incorporating the particular features of the invention will now be described. It should be understood that although particular embodiments are described, the invention is not limited to such embodiments, but encompasses all modifications and variations which use the principles of the invention. For purposes of this description, the transaction terminal is selected to be a postage metering terminal for printing a postmark on a label, envelope, or waybill for articles to be mailed or shipped. However, it should be understood that the general principles of the invention have broad applicability to any type of transaction terminal in which a microprocessor card may be used. For example, the terminal may also be a cash or article dispensing machine or a printer which prints validation marks, coupons, receipts, tickets, inventory documents, etc.

Postage Metering Terminal

Referring to Fig. 1, a microprocessor card 10, as previously described, is adapted to be inserted in a card insertion slot 11 of an automated terminal device 20. The smartcard 10 has a contact section 12 which has a number of contacts 13 connected to the pinout leads of an IC chip including a microprocessor unit (card MPU) 60 laminated beneath a protective layer of the card contact section 12. The contacts 13 are mated with corresponding contacts 23 of a terminal contact section 22 upon insertion of the card 10 into the slot 11 in the direction indicated by arrow A. As the card is inserted, its leading edge abuts a part of the terminal contact section 22 which is moved in the same direction, indicated by arrow B, so as to merge in operative electrical contact with the card contact section 12. A trip switch 22a is provided at the base of slot 11, and triggers a start signal to an operations microprocessor (terminal MPU) 30 when the card has been fully inserted in position in the slot.

The card MPU 60 executes an internally stored (firmware) program to check whether a requested transaction is authorized and, prior to debiting the card account balance, to perform a secure handshake recognition procedure (described further below) with a microprocessor in the terminal. Although the handshake procedure can be performed with an operations microprocessor for the terminal, or one remote to the terminal, it is preferred in the invention that the procedure be performed with a secure microprocessor embedded in the actual value dispensing section of the terminal. The value dispensing section is a separate element in the terminal, and its microprocessor is made physically secure, such as by embedding it in epoxy, so that any attempt to tamper with it would result in rendering the value dispensing section inoperative. For the postal transaction terminal of the invention, the microprocessor is embedded in the printer unit which prints the postmark.

The terminal contacts 23 are connected with the functional parts of the terminal, including a Clock synchronizing connection 24, a Reset connection 25, an operational voltage Vcc connection 26, an Input/Output (I/O) port 27, an EPROM-writing voltage Vpp connection 28, and a ground connection 29. The terminal MPU 30 controls the interface with the card and the operation of the various parts of the terminal, including a keyboard 31, a display 32, such as an LCD, and a postmark printer 40, which is the value dispensing section of the terminal. A power source Vo is provided by a battery and/or an external AC or DC line to power the various parts of the terminal.

The printer 40 has a microprocessor unit (printer MPU) 41 which individually and uniquely controls the operation of a print head 42, such as an electrothermic or impact print head. The MPU 41 executes an internal program (firmware), like the card microprocessor, so that it cannot be tampered with from the outside. The printer MPU's internal program includes unique encryption algorithms parallel to those stored in the card's microprocessor, installed by the manufacturer, so that the printer MPU can execute a secure handshake recognition procedure with the card's microprocessor to authorize a requested transaction. The MPU 41 is also formed integrally with the print head 42, such as by embedding in epoxy or the like, so that it cannot be physically accessed without destroying the print head. Thus, according to the invention, the print head 42 of the postage metering terminal 20 can only be operated through the MPU 41, and will print a postmark only when the handshake recognition procedure and a postmark print command have been executed between the card MPU and the printer MPU 41.

When a terminal is to be installed by the issuer in a location or distributed to a retail intermediary for field use, the issuer may also execute a validation procedure for the terminal similar to that for the card. A secret key number may be written in the secret memory zone of the printer MPU 41, so that postage printing transactions can only be executed with cards provided with the corresponding secret key number. Thus, cards validated by another issuer, even though obtained from the same manufacturer, will not be usable in the first-mentioned issuer's machines.

The terminal MPU may of course be used for the handshake recognition procedure. However, it is preferable to have the procedure executed by the part which is actually dispensing the article of value, and to leave the terminal MPU operable for general terminal operations. A machine ID number (MIN) may also be assigned to the terminal so that it can be recorded in the transaction history maintained on the card. As a further feature, the MIN for one or more of the issuer's terminals can be stored in cards which are to be used only in those terminals. Thus, in an automated terminal system provided for one company, the terminals within the company can only be used with the cards issued to the employees of that company which have the company's secret key number and, optionally, the terminals within a department of the company may be configured to accept only cards provided with the MINs of that department's machines.

The interactive operation of the card/terminal system will now be described. Upon inserting a card in slot 11, the trip switch 22a is triggered, and the terminal MPU 30 initiates an identification request procedure to confirm that the card is being used by an authorized user. For example, the terminal MPU may cause a prompt to appear on the display 32 requesting that the user enter a PIN. The number entered by the user is sent by the terminal MPU to the card MPU where it is checked against the PIN number(s) stored in the secret zone of the card's memory. If the number matches, the card MPU notifies the terminal MPU 30 to proceed. If the card is restricted for use only in particular machines, the card may request the terminal's MIN and check it against a stored list of authorized terminal numbers. If the terminal is restricted for use only with certain cards, the terminal may check the PIN or a card identification or account number against a stored list of authorized card numbers. As another security feature, the card program may check the number of incorrect PIN entries attempted or a card expiration date written in memory at the time of issuance. If the incorrect PIN entries exceed a predetermined number, or if the current date indicated from the terminal MPU 30 is past the expiration date, the card MPU 60 can lock the card against further use until the user has had it revalidated by the issuer.
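The card-side and terminal-side checks described above, as an added example rather than code from the patent. The limit of three incorrect entries, the `MIN-0007` style identifiers, the result strings, the reset of the counter after a correct PIN and the `revalidate` helper are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import date

MAX_BAD_PINS = 3  # constructed "predetermined number" of incorrect entries


@dataclass
class CardMPU:
    """Secret-zone data written at issuance plus the card's lock state."""
    pin: str
    expires: date
    allowed_mins: frozenset = frozenset()  # empty: card not tied to machines
    bad_pins: int = 0
    locked: bool = False

    def check_user(self, entered_pin, terminal_min, today):
        """Return PROCEED, BAD_PIN, WRONG_TERMINAL or LOCKED for one request."""
        if self.locked:
            return "LOCKED"
        if today > self.expires:
            self.locked = True  # past expiration: lock until revalidated
            return "LOCKED"
        # The comparison runs inside the card; the stored PIN never leaves it.
        if not hmac.compare_digest(entered_pin.encode(), self.pin.encode()):
            self.bad_pins += 1  # the count is kept on the card, not the terminal
            if self.bad_pins > MAX_BAD_PINS:
                self.locked = True
                return "LOCKED"
            return "BAD_PIN"
        self.bad_pins = 0  # assumption: a correct entry resets the count
        if self.allowed_mins and terminal_min not in self.allowed_mins:
            return "WRONG_TERMINAL"
        return "PROCEED"

    def revalidate(self, new_expiry):
        """Issuer-side revalidation (hypothetical helper): clear the lock."""
        self.locked, self.bad_pins, self.expires = False, 0, new_expiry


def authorize(card, card_id, entered_pin, terminal_min, authorized_cards, today):
    """Terminal MPU flow: apply the terminal's card list, then ask the card."""
    if authorized_cards and card_id not in authorized_cards:
        return "CARD_NOT_ACCEPTED"
    return card.check_user(entered_pin, terminal_min, today)


if __name__ == "__main__":
    today = date(1994, 10, 12)  # constructed date supplied by the terminal MPU
    card = CardMPU("4821", date(1995, 12, 31), frozenset({"MIN-0007"}))
    print(authorize(card, "C-1", "4821", "MIN-0007", set(), today))
    for _ in range(4):
        print(authorize(card, "C-1", "0000", "MIN-0007", set(), today))
    print(authorize(card, "C-1", "4821", "MIN-0007", set(), today))
```

Because the counter and the lock flag are part of the card's own state, moving the card to another terminal does not give the holder a fresh set of PIN attempts.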

If the initial confirmation procedures are passed, the terminal MPU 30 next prompts the user to enter information for a postage transaction. The user inputs on keypad 31 the amount of postage requested and, as a further option, the zip code of the sender's location and the date. As the information is supplied in sequence, i.e. "Amount", "Zip", and "Date", it is displayed on display 32 for confirmation. Alternatively, the date may be maintained by the terminal MPU 30, and displayed for user confirmation. When all the correct information has been entered, an edge of an envelope 51 to be mailed, or a label or mailing form to be attached to an item to be mailed, is inserted in a slot 50 on one side of the postage metering terminal 20. The movement of the label or envelope may be controlled to bring it in registration with the print head, as provided in conventional metering machines. The user then presses the "Print" key to initiate a postage printing transaction.

Handshake Recognition Procedure

A basic principle of the invention is that the actual execution of a
value-exchanging transaction is securely controlled by a mutual
handshake recognition procedure between a secure microprocessor
maintaining the card account balance and a secure microprocessor
controlling the value dispensing operation. The card's MPU must
recognize the value dispensing section's microprocessor as valid, and
vice versa, in order to execute a transaction. The card and the value
dispensing section therefore can each remain autonomous and protected
against counterfeiting or fraudulent use even if the security of the
other has been breached. Since they are autonomous, the cards and
terminals can be distributed widely with a low risk of breach of the
system and without the need for strict access controls. It thus has
significant cost and security advantages over conventional card
automated transaction systems.

A two-way encrypted handshake embodiment will now be described. However,
it should be understood that the invention is intended to encompass any
mutual handshake procedure by which the card and dispensing
microprocessors can recognize the other as authorized to execute a
requested transaction. In the preferred postage terminal embodiment the
handshake procedure is executed between the card MPU 60 and the printer
MPU 41. As illustrated schematically in Fig. 2a, when the "Print" key
signal is received by the terminal MPU 30, the latter opens a channel 61
of communication between the card MPU 60 and the printer MPU 41. A
"commence" signal and the amount of the requested transaction, i.e.
postage, is then sent from the terminal MPU 30 to the card MPU 60, and a
similar "commence" signal to the printer MPU 41, in order to prepare the
way for the handshake procedure.

Referring to Fig. 2b, the card MPU 60 initiates the handshake procedure
upon receipt of the "commence" signal by first verifying if the
requested amount is available for the transaction. As an advantageous
feature of the invention, the card MPU 60 checks the available balance
of the card and (if implemented in the card's program) whether the
requested transaction is within any limits specified by the card issuer.
For example, use of the card can be limited to a maximum postage amount
and/or class of postage for each transaction or a cumulative total of
transactions. Upon verifying that the requested transaction is
authorized, the card MPU 60 encrypts an object number N, which may be a
randomly generated number, with a key number k1 (which may be the user's
PIN) stored in the secret zone of its memory by a first encryption
algorithm E1 and sends the resultant word W1 through the handshake
channel 61 of terminal MPU 30 to the printer MPU 41.

Upon receipt of the word W1, the printer MPU 41 decodes the number using
the same number k1 by the inverse algorithm E1'. The number k1 may be a
secret key number stored in the printer MPU's memory at the time of
validation, or in an open system, it may be the PIN entered by the user
on the terminal, or a combination of both. The printer MPU 41 then
encrypts the decoded number with the number k1 by a second encryption
algorithm E2 to send a second word W2 back to the card MPU 60.

Upon receipt of the word W2, the card MPU 60 decodes the number again
using the key number k1 by the inverse of this second algorithm E2', and
compares the decoded number with the number it used in the first
transmission. If the numbers match, the handshake procedure has been
successfully completed, and the card and printer MPUs have recognized
each other as authorized to execute the requested transaction. The card
MPU then debits the postage amount from the card balance, and then sends
a print command and the postage amount to the printer MPU. The printer
MPU prints the postage on envelope 51, in cooperation with the terminal
MPU 30 which controls the movement of the envelope under the print head.
The printer MPU then sends an "end" signal to the terminal MPU 30, which
accordingly switches off the handshake channel 61 and resets itself to
receive the next transaction request.

In the preferred embodiment, the card MPU 60 stores only the amount of
the transaction in its transaction record, and does not store the new
balance. Instead, the balance is recomputed from the original authorized
amount and the stored history of transaction debits at the time a
transaction is requested. This procedure substitutes the MPU's computing
power to save a significant amount of card EPROM memory space.
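The W1/W2 handshake and the debit-history balance described above, as an added example rather than code from the patent. E1 and E2 are not specified on the page, so a 4-round Feistel permutation keyed with HMAC-SHA256 stands in for them; the class names, the 64-bit size of N and amounts in cents are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK_BITS = 64                      # assumed size of the object number N
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1


def _round(key, label, rnd, half):
    """Keyed round function: HMAC-SHA256 truncated to 32 bits."""
    msg = label + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt(key, label, n, rounds=4):
    """Stand-in for E1/E2 (label selects which): Feistel permutation on 64 bits."""
    left, right = n >> HALF_BITS, n & HALF_MASK
    for r in range(rounds):
        left, right = right, left ^ _round(key, label, r, right)
    return (left << HALF_BITS) | right


def decrypt(key, label, w, rounds=4):
    """Inverse permutation (E1'/E2'): undo the rounds in reverse order."""
    left, right = w >> HALF_BITS, w & HALF_MASK
    for r in reversed(range(rounds)):
        left, right = right ^ _round(key, label, r, left), left
    return (left << HALF_BITS) | right


class PrinterMPU:
    def __init__(self, k1):
        self._k1 = k1
        self.printed = []            # amounts actually printed

    def respond(self, w1):
        """Decode W1 with E1', re-encrypt the number with E2, return W2."""
        n = decrypt(self._k1, b"E1", w1)
        return encrypt(self._k1, b"E2", n)

    def print_postage(self, amount):
        self.printed.append(amount)


class CardMPU:
    def __init__(self, k1, authorized_amount, per_txn_limit):
        self._k1 = k1
        self._authorized = authorized_amount
        self._limit = per_txn_limit
        self._debits = []            # transaction record: amounts only

    def balance(self):
        """Recomputed on demand from the authorized amount and debit history."""
        return self._authorized - sum(self._debits)

    def transact(self, amount, printer):
        """Run the handshake for one transaction; True if postage was printed."""
        # Check issuer limit and available balance before starting.
        if amount <= 0 or amount > self._limit or amount > self.balance():
            return False
        n = secrets.randbits(BLOCK_BITS)          # object number N
        w1 = encrypt(self._k1, b"E1", n)          # card -> printer
        w2 = printer.respond(w1)                  # printer -> card (channel 61)
        if decrypt(self._k1, b"E2", w2) != n:     # printer not recognized
            return False
        self._debits.append(amount)               # debit first ...
        printer.print_postage(amount)             # ... then print command
        return True


if __name__ == "__main__":
    key = b"constructed-issuer-key"               # constructed sample key
    card = CardMPU(key, authorized_amount=500, per_txn_limit=200)
    print(card.transact(90, PrinterMPU(key)), card.balance())
```

A printer holding a different k1 decodes W1 to a different number, so the card's comparison fails and no debit is recorded.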

The card automated transaction system of the invention is provided with
high security at a plurality of levels, which is particularly
advantageous for off-line transactions involving large numbers of issued
cards and widely distributed terminal devices. As depicted in Fig. 3,
the encryption algorithms are provided at the first security level I by
the manufacturer, the secret key, PIN, and/or MIN are provided at
security level II by the issuer, the PIN is used at security level III
by a particular user, and the MIN and/or secret key may be used at
security level IV to operate a particular machine(s).



At level I, the print head of the terminal is only operable to dispense
value, i.e. print postage, if the encryption algorithms provided by the
manufacturer match those of the card, thereby protecting against
counterfeit cards and terminals. Even if the security of the
manufacturer has been penetrated, and the encryption algorithms have
been obtained by a counterfeiter, the secret key may be assigned at
level II by the issuer and used in the handshake procedure, thereby
deterring the use of counterfeit cards and terminals which do not have
the secret key. At security level III, a card can only be used to
operate a terminal if the correct PIN is known, and if initial
confirmation procedures are passed. At security level IV, a card can
only be used in a particular terminal identified by the correct MIN.

A related embodiment of the invention is illustrated in Fig. 4 which
employs a second card having postal rate data stored in memory to
compute the correct postage automatically. A terminal 20, similar to the
one previously described, includes a second slot 91 for a "rate" card
90. The terminal has a slot 50 in which a postal label or envelope 51 is
inserted for imprinting by the printer 40. For a parcel 52, the label 51
is printed then affixed to the parcel for mailing. A scale 53 may be
connected to the terminal and MPU 30 to provide the weight of the
envelope or parcel 52.

The rate card has a memory device 92, preferably an IC ROM, which is
accessed and read by the terminal MPU 30 through contact portion 93
mated in contact with the pinout terminals of the memory device.
Switches 22a and 92a provide signals when the user and rate cards have
been inserted in the respective slots. Insertion of the user card
initiates operation of the terminal. If a rate card is not inserted, the
terminal MPU 30 can instead request the appropriate postal amount from
the user by a prompt on the display 32. The terminal MPU may also have a
mode for reading postal rates from the rate card.

The program operation of the postage metering terminal 20 is illustrated
in block diagram form in Fig. 5. Upon insertion of the user card 10 in
slot 11, the user confirmation procedures previously described are
carried out between the terminal MPU 30 and card MPU 60. If an
unauthorized card or user is detected, the card is locked and the
terminal operations are terminated. If a valid user card is confirmed,
the terminal program then checks if a rate card 90 is inserted and
whether it is valid. Validity can be determined by the issue number of
the card, or by an indicated expiration date. If there is no rate card,
the terminal MPU requests the user to input the desired postage and goes
to the print key decision block 97. If a valid rate card is present, the
terminal program requests the codes for the source and destination of
the item and the class of mail desired. The program then checks for a
signal from the scale 53 indicating the weight of the item. If no scale
is connected or weight indicated, the program requests the user to input
the information.

The rate card memory contains a current listing of the rates for a
particular carrier divided according to zone classifications, weight,
and/or type of mail. For the U.S. Postal Service, the postage amount is
calculated based upon the origin and destination zip codes, class of
mail, and weight by looking up tables stored in the rate card memory 92.
If the "Print Key" is depressed, the terminal program then sends the
"commence" signal to the card MPU and printer MPU to execute the
handshake procedure and debiting and printing operations as previously
described. If an "Auto" mode key of the terminal has been pressed or the
user elects to continue in response to a prompt, the terminal program
returns to the beginning of the transaction loop indicated at block 94.
The "Auto" mode may be used in conjunction with an automatic feeder for
postmarking a series of envelopes or labels. The terminal operation is
terminated if the transaction loop is not continued, or if the handshake
procedure is not completed.

Postmark Authentication

In accordance with the principles of the invention as applied to postage
metering terminals, a postmark authenticating procedure will now be
described. The procedure is provided as a security feature to deter the
printing of a counterfeit postmark by a printer, copier, or other
facsimile device which is not authorized by the issuer of the
above-described card/terminal system. Conventional high resolution
printers and graphics capabilities of personal computers present an
increasing risk that value-confirming marks, such as a postmark, ticket,
coupon, etc. can be simulated by a counterfeiter. In the invention, an
underlying and/or invisible machine readable code is printed first and
then overprinted with the human readable postmark. The code can be
uniquely selected by the issuer of the postage card/terminal system, and
periodically changed to eliminate any benefit from gaining unauthorized
access to the code. Further, the code can be printed with ink that is
invisible in the normal light spectrum, so that it is readable only with
a magnetic, infrared, or ultraviolet reader.

Referring to an example shown in Figs. 6a and 6b, a conventional
imprinted postmark has a logo or graphic design 70, text 71 indicating
that the postage is issued through the U.S. Postal Service, numbers 72
indicating the postage amount, as well as the date 73, city 74, state
75, and zip code 76 of origin, and the identification number 77 of the
postage meter from which the postmark was printed. In the invention,
coded marks 78 are printed beneath the visible postmark in a
predetermined code field 79 in invisible, machine readable ink. The
algorithm for the coded marks is selected by the issuer, for example,
representing the binary equivalent of the postage amount, i.e. "90"
cents in Fig. 6a, shown in binary form in Fig. 6b. The coded marks can
represent any other element of the postmark, such as the meter
identification number or zip code. Alternatively, a bar code 83 can be
printed with a postmark information section 83a and a check code section
83b, which is encrypted based upon one of the postmark elements. The
postmark element and/or the encryption algorithm can be uniquely
selected by the issuer. Even if the coded marks are printed in visible
form, the encryption of a variable postmark element, such as the
sender's zip code, date, or postage amount, will make copying difficult.

The printing of the postmark and authentication code can readily be
incorporated in the card/terminal system illustrated in Fig. 1. The
printer 42 is provided with a memory 43 to which data representing the
visible information of the postmark and the computed binary or other
selected check code or converted bar code is transmitted from the
terminal MPU 30 and stored. The fixed graphics of the postmark may be
stored in a memory associated with the MPU 30, which is preferable if
the same terminal has the capability of printing a variety of postmark
graphics for different carriers and/or classes of service, or it may be
permanently stored in a section of the printer memory 43. The fixed
graphics may instead be stored in the card's memory and loaded by
terminal MPU 30 in the printer memory 43 for a requested transaction.
Alternatively, the fixed graphics may be provided on a platen which
operates with the print head if only one type of postmark is to be
printed.

In the preferred form, the print head 42 is an impact printer which has
two ink ribbons 42a and 42b, one of invisible, machine readable ink and
the other of visible ink. When the handshake procedure has been
completed, and the print command issued by the card MPU 60, the printer
MPU 41 accesses the data stored in the memory 43 and, in a first pass,
prints the coded marks in invisible ink then, in a second pass, prints
the visible postmark information.

As indicated in Fig. 6a, when mail or other articles are subsequently
presented to a central mail routing and distribution system, such as
that of the U.S. Postal Service or a private carrier, the postmark may
be passed under a detector 80 which has a visible light spectrum reader
81 and a code reader 82, such as a magnetic, infrared, or ultraviolet
reader, or a bar code reader 83 for bar code marks. If the code marks
are absent or if the check code does not correspond to the element of
the postmark selected for coding, an audit record can be made of the
non-conformity, for example, by recording the meter identification
number, date, and zip code of origin. An investigation of the source of
the unauthorized postage can then be initiated if numerous articles are
found bearing unauthorized postmarks. The postmark authentication marks
of the invention thus provide an additional level of security against
counterfeiting which is not offered in conventional postal metering
machines.
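The check code and the detector's audit step described above, as an added example rather than code from the patent. The issuer-selected encryption is not specified on the page, so a truncated HMAC-SHA256 over the selected postmark element stands in for it; the field names, the six-digit code length and the alert threshold are assumptions.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Postmark:
    """Visible, variable postmark elements (a subset of Fig. 6a's fields)."""
    amount_cents: int
    date: str
    zip_code: str
    meter_id: str


def check_code(issuer_key, element, pm, digits=6):
    """Check code section: keyed digest of the issuer-selected element."""
    value = str(getattr(pm, element)).encode()
    mac = hmac.new(issuer_key, element.encode() + b"=" + value, hashlib.sha256)
    return str(int.from_bytes(mac.digest()[:8], "big") % 10**digits).zfill(digits)


def print_indicia(issuer_key, element, pm):
    """What the printer lays down: coded marks plus the visible postmark."""
    return {"visible": pm, "code": check_code(issuer_key, element, pm)}


class Detector:
    """Routing-centre detector: visible reader plus code reader."""

    def __init__(self, issuer_key, element, alert_threshold=2):
        self._key = issuer_key
        self._element = element
        self._threshold = alert_threshold
        self.audit = []              # one record per non-conforming article

    def inspect(self, visible, code):
        """True if the code corresponds to the selected element; else audit."""
        expected = check_code(self._key, self._element, visible)
        if code is not None and hmac.compare_digest(code.encode(), expected.encode()):
            return True
        self.audit.append({
            "meter_id": visible.meter_id,
            "date": visible.date,
            "zip_code": visible.zip_code,
            "reason": "code absent" if code is None else "code mismatch",
        })
        return False

    def meters_to_investigate(self):
        """Meter numbers seen on at least alert_threshold bad articles."""
        counts = Counter(rec["meter_id"] for rec in self.audit)
        return sorted(m for m, c in counts.items() if c >= self._threshold)


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # constructed sample values throughout
    pm = Postmark(90, "1994-04-05", "10001", "MIN-0007")
    mark = print_indicia(key, "amount_cents", pm)
    print(Detector(key, "amount_cents").inspect(mark["visible"], mark["code"]))
```
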

Postal Waybill Terminal

A further embodiment of the invention is illustrated in Fig. 7 which is
adapted for printing standard form waybills for mailing articles using a
wide range of postal or private carrier services. A terminal 20'
includes a slot 11 for a user card 10, a terminal MPU 30, a printer 40
and printer MPU 41, a keyboard 31', and a display 32', as previously
described with respect to Fig. 1. The terminal also includes a second
slot 91 for a "rate" card 90 and a third slot 101 for a "special
services" card 100. The terminal has a slot 50 in which a standard
waybill form 51' is inserted for imprinting by the printer 40. The
waybill 51' is then affixed to an envelope or parcel 52 for mailing. A
scale 53 can be connected to the terminal and MPU 30 to automatically
provide the weight of the parcel 52.

The rate and special services cards have memory devices 92 and 102,
respectively, which are preferably IC ROMs that are accessed and read by
the terminal MPU 30 through contact portions 93 and 103, respectively,
mated in contact with the pinout terminals of the memory devices.
Switches 22a, 92a, and 102a provide detection signals when the cards
have been inserted in the respective slots. A display 32' provides a
full field corresponding to the appearance of the waybill form, and the
keyboard 31' includes a full set of alphanumeric characters and command
keys.

The rate card memory contains a current listing of the rates for a
particular carrier. For example, if the carrier is the U.S. Postal
Service, the Post Office rates are listed according to zone
classifications, weight, and class of mail. The special services card
memory contains a program for filling out a standard waybill form in
accordance with the information required by and with indicia identifying
the mailing services of a particular carrier. For example, if the
carrier is the U.S. Postal Service, the special services card can
provide the programs for printing waybills for Express Mail, Certified
Mail, Registered Mail, Insured Mail, etc.

The program operation of the postal waybill terminal 20' is illustrated
in block diagram form in Fig. 8, and a sample waybill form is shown in
Fig. 9. Upon insertion of the user card 10 in slot 11, the user
confirmation procedures previously described are carried out between the
terminal MPU 30 and card MPU 60. If an unauthorized card or user is
detected, the card is locked and the terminal operations are terminated.
With a valid user card, the terminal program then checks if a rate card
90 and/or a special services card 100 is inserted and whether each is
valid. Validity can be determined by the issue number of the card or by
an indicated expiration date. If there is no rate card or special
services card, the terminal MPU requests the user to input the desired
postage and goes to the print key decision block 121. The terminal is
then used to print a postmark or postage label as described previously.
If a valid services card is present, the terminal program displays a
menu of mailing or carrier services from the services card and requests
the user to select a service.

The terminal MPU 30 loads the selected service program from the service
card and executes it, as indicated at block 118. For typical carrier
services, the service program displays a standard carrier waybill form
used by the selected carrier. For example, if the U.S. Postal Service
Express Mail service is selected, the form shown in Fig. 9 is displayed.
The form includes a carrier identification field 130, service class
field 131, and pointers on the display for inserting information in
fields 132-137 and 140-146. A waybill identification number in bar code
138 and characters 139 is selected for the transaction and displayed.
Preferably, the services card has a list of reserved waybill numbers
which are sequentially incremented for each completed transaction. If a
transaction is not completed, the number is saved for the next
transaction. As described previously, the bar code can include a section
which is an encryption of one element of the waybill information, so
that the authenticity of the form can be verified by machine processing
of the waybill.

The services program as executed by the terminal MPU 30 next uses cursor
prompts to request the user to provide information for certain fields,
such as the zip codes of origin and destination 132 and 133, and the
addresses of the sender and recipient 140 and 141. As the user supplies
each item of information and presses an "Enter" key, the program causes
the cursor to shift to the next field of information to be supplied, as
indicated by the arrows C in Fig. 9. The date and time fields 134 and
135 may be requested from the user or supplied from the terminal if it
is provided with a clock and calendar. The weight 136 may be provided
from the output of the scale 53, if connected to the terminal, or
supplied by the user. The meter identification number (MIN) is supplied
by the terminal for field 137.

Based upon the origin and destination zip codes and weight, the postal
amount, other service charges, and total amount 144-146 are calculated
and displayed under program control using the rate card if appropriate.
The total transaction amount is saved. If the "Print" key is depressed,
the terminal program then sends the "commence" signal to the card MPU
and printer MPU to execute the handshake procedure and debiting and
printing operations as previously described. If an "Auto" mode key of
the terminal is depressed or the user elects to continue in response to
a prompt, the terminal program returns to the beginning of the
transaction loop indicated at block 113. The terminal operation is
terminated if the transaction loop is not continued, or if the handshake
procedure is not completed.

The terminal can be used to program and print the waybills of other
selected carriers or services by insertion of the proper user, rate
and/or service cards. For convenience of the automated terminal system,
it is desirable if all postal and waybill forms can be standardized to
one or a limited number of form blanks.

Refilling Terminal

Another embodiment of the invention is the provision of a user card
refilling terminal which may be maintained at any desired postal retail
or distribution location for the convenience of the issuer of the cards
and users. A new amount can be "filled", i.e. credited to an authorized
balance maintained in the user card, and a master refilling card having
a greater amount for distribution is correspondingly debited. In
accordance with the principles of the invention, the secure handshake
recognition procedure is executed before the transaction is authorized.
The refilling terminal can also be used to validate new cards to be
issued.

An exemplary embodiment of the refilling terminal is shown in Fig. 10,
having a first slot 161 for a master refilling card 160, a second slot
171 for a supervisor card 170, a third slot 174 for a user card 10, a
terminal microprocessor 30", a keyboard 31", and a display 32". Each
card is of the type described previously, with secure microprocessors
(MPU) 162, 172, and 60, respectively, in contact with respective
terminal contacts 163, 173, and 175. Switches 162a, 172a, and 176
provide detection signals when the cards are inserted in their
respective slots. The operation of terminal MPU 30" is enabled after
insertion of a master card 160 and a supervisor card 170.

A master refilling card is initially purchased from a central issuer,
such as the U.S. Postal Service, an authorized distributor for the
central issuer, or a private carrier company. It is generally intended
to be purchased by a local refilling entity which provides service to
individual users, such as a bank branch, retail store, or corporate
department. In the preferred embodiment, it is manufactured in a fixed
denomination and remains locked until it is activated by a supervisor
card of the central issuer. The encryption algorithms used for the
handshake procedure are already written into its MPU firmware, and it is
enabled to execute the handshake procedure when the secret key number is
installed by a supervisor card during the activation procedure. Once
activated, the master card balance is debited for refilling transactions
until it is used up. A history of all debiting transactions is
maintained in the master card.

A supervisor card is provided by the central issuer in the custody of an
officer or manager of the local refilling entity and a supervisor PIN is
assigned. The supervisor card is used to unlock all master cards sold to
the refilling entity and to maintain a record of the serial numbers of
the master cards for subsequent card confirmation procedures. It is used
to authorize crediting transactions to user cards, and maintains a
transaction record of all refilling operations and the identity of the
recipient user cards. The supervisor card is manufactured with the
handshake encryption algorithms in firmware, and may be provided by the
central issuer with a secret key number to be installed in the master
and user cards. The master and supervisor cards together allow user
cards to be conveniently refilled at widely distributed local entities
without the need for on-line confirmation of each refilling transaction
from the central issuer. Alternatively, the user card can be refilled by
the master card alone, with the handshake procedure executed between the
user card's MPU and the master card's MPU. However, the use of a
controlling supervisor card is preferred as an additional level of
security to deter counterfeiting or fraudulent use of the higher value
master cards.

The operation of the refilling terminal will now be described for the
preferred three-card embodiment with reference to the block diagram of
Fig. 11. Upon initiation of the terminal program, the master card is
checked at block 180 to determine if it is already activated. If not,
the terminal follows an activation procedure at block 181 of confirming
the supervisor PIN, checking the master card serial number, installing a
secret key number in the master card, executing the handshake procedure,
then unlocking the master card's balance, and recording the master
card's serial number, balance, date, and other transaction information.

If the master card has already been activated, the supervisor card
checks the master card serial number against its record of authorized
master cards. If the master card is unauthorized, the terminal program
goes to an end procedure at block 197. With an authorized master card,
the terminal program checks if the user card inserted in the terminal is
new or to be refilled. For a new user card, the refilling terminal
executes at blocks 190-193 a validation procedure which includes
checking the designated card serial number with the number embedded in
its memory, recording the user's identification information, and
assigning a user PIN. At block 192, the terminal prompts the operator
for any limitations on the amounts or type of transactions the card can
be used for, the identification numbers of the terminals to which the
card is restricted, or an expiration date if required by the issuer. The
validation procedure is completed by installing the secret key number
and sealing the secret memory zone.

If the user card is to be refilled, the user PIN is confirmed, and then
the card is checked for any balance to be credited toward the new amount
or to the user's account. The old memory section is then locked from
further transactions, and can only be used for reading out a transaction
history. Upon a request for a new amount, either for a new card that has
been validated or for a card to be refilled, the terminal MPU 30" opens
a handshake channel, and the handshake procedure previously described is
executed between the master MPU 162 and the supervisor MPU 172. When the
handshake procedure is completed, the master balance is debited and the
supervisor card proceeds to open a new transaction memory section in the
user card into which the new balance is written. The program then
provides at block 197 an end selection of further operations which may
be carried out on the refilling terminal. For example, another refilling
transaction may be processed, the supervisor card record may be updated,
the newly validated user or master card may be embossed with a serial
number or account number if the terminal is connected to an embossing
machine, or operations may be terminated.

The described refilling system is protected at several levels of
security. First, a supervisor card is required, and the user card must
be validated by the user PIN. The master card must be validated by the
supervisor card and must execute the handshake procedure before the user
card is credited with a new amount. The card/terminal system has the
primary advantage that the debiting of the card balance is executed in
the same time frame that the value dispensing operation is carried out,
and the exchange can only be carried out for each transaction if the
mutual handshake recognition procedure is executed between the secure
microprocessors controlling each part. Also, the central issuer
purchases the card/terminal system from the manufacturer with a given
set of encryption algorithms, and then selects a unique secret key not
known to the manufacturer. Thus, penetration of the manufacturer's
security will not compromise the security of the issuer's system. By
issuing cards with defined expiration dates or series numbers and
changing the secret keys periodically, an issuer system can be made even
more impenetrable to counterfeiters.

The user's card is not merely a passive record of an account number and
balance, but rather operates to affirmatively protect against
unauthorized use of the card, for example, if a succession of incorrect
PIN entries is made, if the card is used beyond its expiration date or
in an unauthorized machine, or if a requested transaction is in excess
of predetermined limits. Similarly, the value dispensing part of the
terminal is protected against tampering by the physical bonding of the
printer microprocessor to the print head.

Moreover, since the postal and refilling transactions executed with
cards issued by a central issuer take place only within the issuer's
system, they are protected from counterfeit cards or cards issued by
another system. One issuer's system thus remains closed to all other
issuers' systems, and several systems can use the same terminals without
interference from the other. For example, the U.S. Postal Service and
several private carriers can each constitute a separate issuer system
issuing its own cards. A user can purchase a card from each system and
use the proper card in any terminal maintained at a local entity (branch
post office, bank branch, local retail store) to generate authorized
postage or a waybill for use in the corresponding system. Thus, users
will have the benefit of secure and convenient access to a wide range of
postal and carrier services.

In the invention, the microprocessor cards (user, master, and
supervisor), memory cards (rate and special services), and terminals
(metering, waybill printing, and refilling) comprise an integrated
postal transaction system which provides a greatly improved level of
access, convenience, and security, compared to conventional postal
machines. The overall system is illustrated in Fig. 12. It allows widely
issued user cards to be used in widely distributed postage metering and
waybill printing terminals, with the appropriate rate and/or services
cards, to access a plurality of postal and carrier services. The
refilling terminals allow a central issuer to distribute postal monetary
value to users at widely distributed locations. Strict physical access
controls are not required, the need to limit the postal amounts and
services obtainable by issued cards is reduced, in-person purchase
transactions are avoided, and on-line confirmation by a central account
office is obviated. The cards and terminals are configured to be
autonomous, yet mutual recognition and confirmation of validity and
transaction amounts are required, thereby providing a high level of
security for the system.

Further, the invention is not limited to the described
automated postal terminals. The principles
of the invention can be adapted to any other value
exchanging transaction where it is desired to use
an account card in an off-line automated terminal
system. Thus, the described smartcards and value
dispensing terminals can also be used for dispensing
cash, printing tickets, issuing coupons, etc., and
the user can possess a variety of cards each
issued by a central issuer for the convenient purchase
of different articles of value. Also, by implementing
smartcard and terminal MPU programs
which check for authorized machine identification
numbers and card serial numbers, or execute the
handshake procedure with different algorithms
and/or secret keys, an issuer's system can be
configured so that the issuer's cards and terminals
may be made open or restricted to certain families,
series or locations.

The invention also encompasses other features
which are useful adjuncts to the central concepts
described above. For example, a transaction history
printer may be provided from which a user can
print a record of transactions stored in the smartcard
upon entry of the correct PIN. The various
cards can be provided with notches on a border or
coded key elements to prevent insertion of the
wrong card in an incorrect terminal slot or in a
terminal of another issuer system. Also, the invention
can be adapted for on-line transaction systems.
For example, the terminal MPU can be connected
by a telephone line or local network to a
central processing office for approval of a transaction
prior to execution of the transaction. On-line
confirmation may be desired for initialization and
refilling transactions which are less frequent and of
higher value than purchase transactions. As another
security feature, the card or series of cards
may be issued with encryption algorithms and/or
secret key numbers which are changed periodically,
and the encryption algorithms and secret
keys corresponding to cards presented for a transaction
can be loaded in the terminal at the time the
terminal MPU establishes an on-line connection to
the central office.

Based upon the foregoing disclosure, many
other peripheral features and modifications and
variations on the principles of the invention will
become apparent to persons familiar with automated
terminals and smartcard systems. It is intended
that the embodiments and features described
herein and all further features, modifications,
and variations be included within the allowed
scope of the invention, as it is defined in the
appended claims.

Claims

1. A printer (40) for use with a transaction terminal
(20) which has an input section (31) for
inputting a request for printing a value indicia
and an operating section (30) for enabling the
terminal to execute the printing of the requested
value indicia on an article, characterized in
that:

the printer (40) is formed as a separate
section to the terminal and has a printhead
with a dedicated microprocessor (41) therein
for controlling the printhead,

a first ink supply is provided to supply a
visible human-readable ink to the printhead;

a second ink supply is provided to supply
an invisible, machine-readable ink to the printhead;

the terminal (20) has connecting lines for
connecting the printhead microprocessor (41)
to the operating section (30) of the terminal,
and the operating section includes a stored
program for receiving the value indicia request
input to the terminal and sending a print instruction
to the printhead; and

the printhead microprocessor (41) includes
a stored program for receiving the print instruction
from the terminal operating section
(30), printing the requested value indicia (75)
with visible ink from the first ink supply on an
article, generating an authentication code (79)
which uniquely corresponds to the requested
value indicia, and printing the authentication
code with invisible ink from the second ink
supply on the article, whereby the printed visible
value indicia can be subsequently verified
as authentic by machine reading of the invisible
authentication code and comparing it to the
visible value indicia.

2. A printer for a transaction terminal according to
Claim 1, wherein the printhead microprocessor
(41) is physically permanently bonded in the
printhead such that it cannot be physically
tampered with without disabling the printhead.

3. A printer for a transaction terminal according to
Claim 1, wherein the printhead, printhead
microprocessor (41), first ink supply, and second
ink supply are physically incorporated together
in a modular unit which is removably
mounted in the terminal.

4. A printer for a transaction terminal according to
Claim 1, wherein the printhead microprocessor
(41) includes a stored security program incorporated
therein for executing a security procedure
through the terminal operating section to
validate whether an input value indicia request
is a valid request and to enable the printhead
to print the value indicia on the article only if
the request has been validated.

5. A modular printer for a transaction terminal
(20) which has an input section (31) for inputting
a request for printing a value indicia and
an operating section (30) for enabling the terminal
to execute the printing of the requested
value indicia on an article, characterized in
that

the modular printer includes a printhead
and a dedicated microprocessor (41) for controlling
the printhead physically permanently
bonded together such that the printhead microprocessor
cannot be physically tampered with
without disabling the printhead;

the modular printer is removably mounted
in the terminal; and the modular printer includes
an interface coupled to the printhead
microprocessor (41) for establishing an operative
data path connection to the terminal operating
section (30) to receive a print instruction
signal from the terminal.

6. A modular printer according to Claim 5, further
characterized in that a first ink supply is provided
for supplying a visible human-readable
ink to the printhead, a second ink supply is
provided for supplying an invisible, machine-readable
ink to the printhead, and the printhead
microprocessor includes a stored program
for controlling the printhead, upon receiving
a print instruction signal from the terminal,
in order to print a visible indicia with visible ink
from the first ink supply, to derive an authentication
code which uniquely corresponds to
the visible indicia, and to print the authentication
code as an invisible indicia with invisible
ink from the second ink supply, whereby the
printed indicia can be subsequently verified as
authentic by machine reading of the invisible
authentication code and comparing it to the
visible indicia.

7. A modular printer according to Claim 5,
wherein the printhead microprocessor includes
a stored security program for validating whether
the print instruction signal received from the
terminal is valid and for enabling the printhead
to print only if the print instruction signal has
been validated.

8. A modular printer according to Claim 5,
wherein the visible indicia to be printed is a
postmark including a postage amount, and the
printhead microprocessor executes the stored
program to generate an authentication code
uniquely corresponding to the postage amount
to be printed.

9. A modular printer according to Claim 5,
wherein the visible indicia to be printed is a
postmark including a postage amount, and the
printhead microprocessor executes the stored
program to encrypt the postage amount as a
bar code, and to print the bar code as the
invisible authentication code with the postmark.
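The following is an added illustration, not part of the patent text, of the scheme the claims describe: the printhead derives an authentication code from the visible indicia, and a reader later recomputes it from what is visibly printed and compares. The patent does not fix an algorithm in this section, so the keyed HMAC-SHA256 construction, the field set (amount, date, machine identification number), the key identifier prefix and all key values are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed secrets (assumption). The two-digit key id models the
# periodically changed secret keys mentioned in the description.
SERIES_KEYS = {1: b"constructed-key-series-1", 2: b"constructed-key-series-2"}
TAG_HEX_LEN = 16  # truncated tag, assumed short enough for a printed bar code


def canonical_indicia(amount_cents, date, machine_id):
    """Serialize the visible fields with length prefixes so that no two
    different indicia can produce the same byte string."""
    out = b""
    for field in (str(amount_cents), date, machine_id):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def make_auth_code(key_id, amount_cents, date, machine_id):
    """Printhead side: code to be printed in invisible ink."""
    msg = canonical_indicia(amount_cents, date, machine_id)
    tag = hmac.new(SERIES_KEYS[key_id], msg, hashlib.sha256).hexdigest()
    return f"{key_id:02d}{tag[:TAG_HEX_LEN]}"


def verify_indicia(code, amount_cents, date, machine_id):
    """Reader side: recompute from the visible indicia and compare."""
    if len(code) != 2 + TAG_HEX_LEN or not code.isascii():
        return False
    if not code[:2].isdigit():
        return False
    key_id = int(code[:2])
    if key_id not in SERIES_KEYS:
        return False  # unknown or retired key series
    expected = make_auth_code(key_id, amount_cents, date, machine_id)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample indicia: 2.90 postage printed by machine "M-0042".
    code = make_auth_code(1, 290, "1994-04-05", "M-0042")
    print("genuine:", verify_indicia(code, 290, "1994-04-05", "M-0042"))
    print("amount altered:", verify_indicia(code, 2900, "1994-04-05", "M-0042"))
```

Because the code is keyed, altering the visible amount without the secret cannot yield a matching invisible code; a verbatim copy of both visible and invisible marks would still verify, so this check alone does not detect duplicates.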